topic Re: False Negative with Threat Emulation in Firewall and Security Management

False Negative with Threat Emulation

Ryan_St__Germai — Sat, 09 Mar 2019 01:13:37 GMT

Hey guys,

I just saw a Tweet regarding a ransomware payload with a low Ant-Virus detection rate. I grabbed a copy of it and ran the sample through the sandblast analysis website. The result is coming back as clean.

App.any.run shows obvious malicious behavior: LockerGoga.exe (MD5: 16BCC3B7F32C41E7C7222BF37FE39FE6) - Interactive analysis - ANY.RUN

Tweet:MalwareHunterTeam on Twitter: "Let me present you, in 2019 March, a signed LockerGoga ransomware sample that is not cryp…

MD5: 16bcc3b7f32c41e7c7222bf37fe39fe6

SHA1: a25bc5442c86bdeb0dec6583f0e80e241745fb73

Just wanted to give a heads up in case the system is in fact not detecting this as malicious.

Re: False Negative with Threat Emulation

Mark_Mitchell — Sat, 09 Mar 2019 08:33:17 GMT

Hi Ryan,

Thanks for the heads up. Have you also raised it with TAC?

Regards

Mark

Re: False Negative with Threat Emulation

PhoneBoy — Sun, 10 Mar 2019 10:17:25 GMT

I'll have someone in our Threat Operations team have a look at it.

Re: False Negative with Threat Emulation

PhoneBoy — Sun, 10 Mar 2019 11:27:05 GMT

Looks like we're properly detecting this both with Threat Emulation and AV.

If you're still seeing it not detected, please engage with our TAC.

Re: False Negative with Threat Emulation

Maciej_Maczka — Wed, 13 Mar 2019 09:41:33 GMT

Hi,

I noticed that Threat Emulation website does not give the same result as appliance does (with default settings).

I had few cases where Sanblast Network said: malware, but result from website was opposite.

MMM